feat(transport): Integrate with enterprise certificate proxy (#1570)

Enterprise Certificate Proxy (https://github.com/googleapis/enterprise-certificate-proxy) is the new preferred solution for certificate based access on the client-side, since it integrates directly with the native OS keystores and does not expose the underlying private key. This new solution leverages the ECP client to replace the existing SecureConnect cert provider code-path for devices with the new ECP configuration file and helper binaries installed. (The ECP configuration file and helper binaries will eventually be distributed and managed through gCloud SDK).

High-level change-list summary:

- Refactored default_cert.go to split out SecureConnectSource into it's own file.
- Added EnterpriseCertificateProxySource, a new client certificate source that uses the ECP client.
- Updated tests and comments and added more test coverage.
- Updated go.mod to include the new dependency.

Note that this change is safe and backwards compatible, since the ECP configuration file will not be present on devices without ECP binaries installed, in which case the DefaultSource will fall back to using SecureConnect. Furthermore, both the new ECP code-path and the old SecureConnect code-path are gated behind the env-var GOOGLE_API_USE_CLIENT_CERTIFICATE today.

go.mod

@@ -5,6 +5,7 @@ go 1.15
 require (
 	cloud.google.com/go/compute v1.6.1
 	github.com/google/go-cmp v0.5.8
+	github.com/googleapis/enterprise-certificate-proxy v0.0.0-20220520183353-fd19c99a87aa
 	github.com/googleapis/gax-go/v2 v2.4.0
 	go.opencensus.io v0.23.0
 	golang.org/x/net v0.0.0-20220607020251-c690dde0001d

go.sum

@@ -157,6 +157,8 @@ github.com/google/pprof v0.0.0-20210609004039-a478d1d731e9/go.mod h1:kpwsk12EmLe
 github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
 github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI=
 github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
+github.com/googleapis/enterprise-certificate-proxy v0.0.0-20220520183353-fd19c99a87aa h1:7MYGT2XEMam7Mtzv1yDUYXANedWvwk3HKkR3MyGowy8=
+github.com/googleapis/enterprise-certificate-proxy v0.0.0-20220520183353-fd19c99a87aa/go.mod h1:17drOmN3MwGY7t0e+Ei9b45FFGA3fBs3x36SsCg1hq8=
 github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg=
 github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk=
 github.com/googleapis/gax-go/v2 v2.1.0/go.mod h1:Q3nei7sK6ybPYH7twZdmQpAd1MKb7pfu6SK+H1/DsU0=

transport/cert/default_cert.go

@@ -14,32 +14,19 @@ package cert
 
 import (
 	"crypto/tls"
-	"crypto/x509"
-	"encoding/json"
 	"errors"
-	"fmt"
-	"io/ioutil"
-	"os"
-	"os/exec"
-	"os/user"
-	"path/filepath"
 	"sync"
-	"time"
-)
-
-const (
-	metadataPath = ".secureConnect"
-	metadataFile = "context_aware_metadata.json"
 )
 
 // defaultCertData holds all the variables pertaining to
 // the default certficate source created by DefaultSource.
+//
+// A singleton model is used to allow the source to be reused
+// by the transport layer.
 type defaultCertData struct {
-	once            sync.Once
-	source          Source
-	err             error
-	cachedCertMutex sync.Mutex
-	cachedCert      *tls.Certificate
+	once   sync.Once
+	source Source
+	err    error
 }
 
 var (
@@ -49,93 +36,23 @@ var (
 // Source is a function that can be passed into crypto/tls.Config.GetClientCertificate.
 type Source func(*tls.CertificateRequestInfo) (*tls.Certificate, error)
 
-// DefaultSource returns a certificate source that execs the command specified
-// in the file at ~/.secureConnect/context_aware_metadata.json
+// errSourceUnavailable is a sentinel error to indicate certificate source is unavailable.
+var errSourceUnavailable = errors.New("certificate source is unavailable")
+
+// DefaultSource returns a certificate source using the preferred EnterpriseCertificateProxySource.
+// If EnterpriseCertificateProxySource is not available, fall back to the legacy SecureConnectSource.
 //
-// If that file does not exist, a nil source is returned.
+// If neither source is available (due to missing configurations), a nil Source and a nil Error are
+// returned to indicate that a default certificate source is unavailable.
 func DefaultSource() (Source, error) {
 	defaultCert.once.Do(func() {
-		defaultCert.source, defaultCert.err = newSecureConnectSource()
+		defaultCert.source, defaultCert.err = NewEnterpriseCertificateProxySource("")
+		if errors.Is(defaultCert.err, errSourceUnavailable) {
+			defaultCert.source, defaultCert.err = NewSecureConnectSource("")
+			if errors.Is(defaultCert.err, errSourceUnavailable) {
+				defaultCert.source, defaultCert.err = nil, nil
+			}
+		}
 	})
 	return defaultCert.source, defaultCert.err
 }
-
-type secureConnectSource struct {
-	metadata secureConnectMetadata
-}
-
-type secureConnectMetadata struct {
-	Cmd []string `json:"cert_provider_command"`
-}
-
-// newSecureConnectSource creates a secureConnectSource by reading the well-known file.
-func newSecureConnectSource() (Source, error) {
-	user, err := user.Current()
-	if err != nil {
-		// Ignore.
-		return nil, nil
-	}
-	filename := filepath.Join(user.HomeDir, metadataPath, metadataFile)
-	file, err := ioutil.ReadFile(filename)
-	if os.IsNotExist(err) {
-		// Ignore.
-		return nil, nil
-	}
-	if err != nil {
-		return nil, err
-	}
-
-	var metadata secureConnectMetadata
-	if err := json.Unmarshal(file, &metadata); err != nil {
-		return nil, fmt.Errorf("cert: could not parse JSON in %q: %v", filename, err)
-	}
-	if err := validateMetadata(metadata); err != nil {
-		return nil, fmt.Errorf("cert: invalid config in %q: %v", filename, err)
-	}
-	return (&secureConnectSource{
-		metadata: metadata,
-	}).getClientCertificate, nil
-}
-
-func validateMetadata(metadata secureConnectMetadata) error {
-	if len(metadata.Cmd) == 0 {
-		return errors.New("empty cert_provider_command")
-	}
-	return nil
-}
-
-func (s *secureConnectSource) getClientCertificate(info *tls.CertificateRequestInfo) (*tls.Certificate, error) {
-	defaultCert.cachedCertMutex.Lock()
-	defer defaultCert.cachedCertMutex.Unlock()
-	if defaultCert.cachedCert != nil && !isCertificateExpired(defaultCert.cachedCert) {
-		return defaultCert.cachedCert, nil
-	}
-	// Expand OS environment variables in the cert provider command such as "$HOME".
-	for i := 0; i < len(s.metadata.Cmd); i++ {
-		s.metadata.Cmd[i] = os.ExpandEnv(s.metadata.Cmd[i])
-	}
-	command := s.metadata.Cmd
-	data, err := exec.Command(command[0], command[1:]...).Output()
-	if err != nil {
-		// TODO(cbro): read stderr for error message? Might contain sensitive info.
-		return nil, err
-	}
-	cert, err := tls.X509KeyPair(data, data)
-	if err != nil {
-		return nil, err
-	}
-	defaultCert.cachedCert = &cert
-	return &cert, nil
-}
-
-// isCertificateExpired returns true if the given cert is expired or invalid.
-func isCertificateExpired(cert *tls.Certificate) bool {
-	if len(cert.Certificate) == 0 {
-		return true
-	}
-	parsed, err := x509.ParseCertificate(cert.Certificate[0])
-	if err != nil {
-		return true
-	}
-	return time.Now().After(parsed.NotAfter)
-}

transport/cert/enterprise_cert.go

@@ -0,0 +1,56 @@
+// Copyright 2022 Google LLC.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// Package cert contains certificate tools for Google API clients.
+// This package is intended to be used with crypto/tls.Config.GetClientCertificate.
+//
+// The certificates can be used to satisfy Google's Endpoint Validation.
+// See https://cloud.google.com/endpoint-verification/docs/overview
+//
+// This package is not intended for use by end developers. Use the
+// google.golang.org/api/option package to configure API clients.
+package cert
+
+import (
+	"crypto/tls"
+	"errors"
+	"os"
+
+	"github.com/googleapis/enterprise-certificate-proxy/client"
+)
+
+type ecpSource struct {
+	key *client.Key
+}
+
+// NewEnterpriseCertificateProxySource creates a certificate source
+// using the Enterprise Certificate Proxy client, which delegates
+// certifcate related operations to an OS-specific "signer binary"
+// that communicates with the native keystore (ex. keychain on MacOS).
+//
+// The configFilePath points to a config file containing relevant parameters
+// such as the certificate issuer and the location of the signer binary.
+// If configFilePath is empty, the client will attempt to load the config from
+// a well-known gcloud location.
+func NewEnterpriseCertificateProxySource(configFilePath string) (Source, error) {
+	key, err := client.Cred(configFilePath)
+	if err != nil {
+		if errors.Is(err, os.ErrNotExist) {
+			// Config file missing means Enterprise Certificate Proxy is not supported.
+			return nil, errSourceUnavailable
+		}
+		return nil, err
+	}
+
+	return (&ecpSource{
+		key: key,
+	}).getClientCertificate, nil
+}
+
+func (s *ecpSource) getClientCertificate(info *tls.CertificateRequestInfo) (*tls.Certificate, error) {
+	var cert tls.Certificate
+	cert.PrivateKey = s.key
+	cert.Certificate = s.key.CertificateChain()
+	return &cert, nil
+}

transport/cert/enterprise_cert_test.go

@@ -0,0 +1,45 @@
+// Copyright 2022 Google LLC.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+package cert
+
+import (
+	"errors"
+	"testing"
+)
+
+func TestEnterpriseCertificateProxySource_ConfigMissing(t *testing.T) {
+	source, err := NewEnterpriseCertificateProxySource("missing.json")
+	if got, want := err, errSourceUnavailable; !errors.Is(err, errSourceUnavailable) {
+		t.Fatalf("NewEnterpriseCertificateProxySource: with missing config; got %v, want %v err", got, want)
+	}
+	if source != nil {
+		t.Errorf("NewEnterpriseCertificateProxySource: with missing config; got %v, want nil source", source)
+	}
+}
+
+// This test launches a mock signer binary "test_signer.go" that uses a valid pem file.
+func TestEnterpriseCertificateProxySource_GetClientCertificateSuccess(t *testing.T) {
+	source, err := NewEnterpriseCertificateProxySource("testdata/enterprise_certificate_config.json")
+	if err != nil {
+		t.Fatal(err)
+	}
+	cert, err := source(nil)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if cert.Certificate == nil {
+		t.Error("getClientCertificate: got nil, want non-nil Certificate")
+	}
+	if cert.PrivateKey == nil {
+		t.Error("getClientCertificate: got nil, want non-nil PrivateKey")
+	}
+}
+
+// This test launches a mock signer binary "test_signer.go" that uses an invalid pem file.
+func TestEnterpriseCertificateProxySource_InitializationFailure(t *testing.T) {
+	_, err := NewEnterpriseCertificateProxySource("testdata/enterprise_certificate_config_invalid_pem.json")
+	if err == nil {
+		t.Error("NewEnterpriseCertificateProxySource: got nil, want non-nil err")
+	}
+}